TrueCrypt Part 2: hidden volumes

Douglas Crawford

September 5, 2013

One of the best features of TrueCrypt is that it gives you plausible deniability. It does this by hiding a second encrypted volume inside another TrueCrypt volume in such a way that it is impossible to prove the hidden volume exists (provided the correct precautions are taken).

The key to this is that TrueCrypt fills any empty volume space with random data, and it is impossible to distinguish this random data from the (encrypted) contents of a second volume hidden inside a ‘normal’ volume.

Even when the outer volume is mounted, it should be impossible to prove that another volume is hidden in the apparently random ‘free space’. Of course, because this feature of TrueCrypt is well known to data security specialists, it may be suspected that data is hidden there, but there is no way to prove it (and thus no way to coerce you into divulging the password for it). You may need to explain why the ‘free’ space in your volume contains random data*, but a highly plausible reason is that you recently securely erased data by overwriting it with random data (a number of tools do this, including TrueCrypt itself).

Please note that this is a beginner’s guide designed to help you get started with TrueCrypt hidden volumes. If you need to hide highly sensitive data then please carefully consult the official documentation starting here (and take the time to fully understand the implications of this information).

*There are tools available that can detect random data, but they cannot prove that it contains a hidden TrueCrypt volume.
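As an added illustration (not part of the original article, and not TrueCrypt code) of why the ‘securely erased free space’ explanation holds up, the Python script below runs the two statistics most file-entropy tools rely on, Shannon entropy and a chi-square test against a uniform byte distribution, over three constructed samples: space overwritten with random bytes, the ciphertext of a document standing in for a hidden volume, and the same document in the clear. SHA-256 in counter mode is used as the cipher purely so the example runs on the standard library (TrueCrypt uses XTS mode); the key, sample text and verdict thresholds are illustrative assumptions.

```python
import hashlib
import math
import os
from collections import Counter

SAMPLE = 64 * 1024   # bytes analysed per sample (assumption: enough for stable statistics)


def shannon_entropy(data: bytes) -> float:
    """Estimated bits of entropy per byte from the byte histogram (8.0 is the maximum)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def chi_square(data: bytes) -> float:
    """Chi-square statistic of the byte histogram against a uniform distribution.
    With 255 degrees of freedom, uniformly random data scores near 255."""
    expected = len(data) / 256
    counts = Counter(data)
    return sum((counts.get(b, 0) - expected) ** 2 / expected for b in range(256))


def keystream_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """SHA-256 in counter mode as a stand-in for the volume cipher. TrueCrypt uses
    XTS mode; this is only so the example runs without third-party libraries."""
    stream = b"".join(hashlib.sha256(key + i.to_bytes(8, "big")).digest()
                      for i in range(len(plaintext) // 32 + 1))
    return bytes(a ^ b for a, b in zip(plaintext, stream))


def verdict(data: bytes) -> str:
    # Illustrative thresholds: uniform random 64 KiB gives entropy ~7.997 and chi-square ~255.
    return "random-looking" if shannon_entropy(data) > 7.9 and chi_square(data) < 400 else "structured"


def analyse() -> dict:
    """Compare wiped free space, a hidden volume's ciphertext and an ordinary plaintext file."""
    # Constructed sample document; repeated to fill the sample size.
    document = (b"Quarterly report: revenue up 4%, headcount flat, see appendix B.\n" * 1024)[:SAMPLE]
    samples = {
        "wiped free space": os.urandom(SAMPLE),                                 # random overwrite
        "hidden volume": keystream_encrypt(b"hidden-volume-key", document),     # encrypted document
        "plain file": document,                                                 # the same document in the clear
    }
    return {name: {"entropy": round(shannon_entropy(d), 3),
                   "chi_square": round(chi_square(d), 1),
                   "verdict": verdict(d)}
            for name, d in samples.items()}


if __name__ == "__main__":
    for name, r in analyse().items():
        print(f"{name:18} entropy={r['entropy']:.3f} chi2={r['chi_square']:9.1f} {r['verdict']}")
```

The two random-looking samples score alike on both statistics, while the plaintext scores well below 8 bits per byte and far above 255 on chi-square. That is exactly the footnote’s point: an analysis tool can tell that a region is random, but it cannot tell wiped space from the ciphertext of a hidden volume.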

Creating a TrueCrypt hidden volume

1. From the TrueCrypt main screen click ‘Create Volume’.

2. Make sure the ‘Create an encrypted file container’ radio button is selected, and click ‘Next’.

3. Select ‘Hidden TrueCrypt volume’ and click ‘Next’.

4. In the Volume Creation screen you can choose ‘Normal mode’ to make a new normal volume and then create a hidden encrypted volume within it, or ‘Direct mode’ to create a hidden volume inside an already created normal volume. In Part 1 of our TrueCrypt guide we showed you how to create a normal TrueCrypt volume, so for the sake of brevity we’ll opt for ‘Direct mode’ here.

5. Click ‘Select File…’ and navigate to a TrueCrypt container you have created, ‘Open’ it and click ‘Next’. If you chose ‘Normal mode’ at the volume creation screen, you will instead be taken through steps 4 – 8 in the ‘Creating a container’ section of Part 1 of this guide.

6. Enter the (outer) volume’s password.

7. Click ‘Next’ again…

8. Choose how you would like the hidden volume encrypted.

As with creating the outer volume, we’ll just go with the defaults.

9. Select the hidden volume size. Again, this is just like when you created the outer volume. Then click ‘Next’.

Our outer volume was 50MB, so we think 20MB is a good size to hide our secret files in.

10. Choose a password for the hidden volume. It is extremely important to choose one that is not only highly secure, but also different from the one you chose for the outer volume: when mounting, TrueCrypt tries the outer volume’s header before the hidden one, so with identical passwords you would only ever get the outer volume. Click ‘Next’.

11. Again, moving your mouse randomly around the window for at least 30 seconds will greatly improve the cryptographic strength of the encryption keys. Click ‘Format’…

…and the hidden volume is created! Hit ‘Exit’.

Protect the data on your hidden volume

When you mount the outer volume (using the outer volume password – see Part 1) you can read data stored on it as normal, and without risk. However, if you write (i.e. save) data onto this outer volume then you may damage data stored on the hidden volume, because the outer volume does not know the hidden volume is there and treats its space as free. This can be prevented by taking the following steps.

1. Mount the outer volume by entering its password, then click ‘Mount Options’.

2. Tick ‘Protect hidden volume against damage caused by writing to outer volume’, enter the hidden volume’s password, and click ‘OK’.

Note that this procedure does not mount the hidden volume; it only decrypts the hidden volume’s header, which tells TrueCrypt the size (and so the location) of the hidden volume. Any write to the outer volume that would reach into that area is then rejected, and the entire volume (outer and hidden) becomes write-protected until it is remounted. To preserve plausible deniability, TrueCrypt reports the rejected write to the operating system only as a generic ‘invalid parameter’ error, with no mention of hidden volumes.

If the TrueCrypt application is still running when a write is rejected, you will also receive a warning (note that while protection is enabled, the passwords for both volumes are held in RAM)…

… after which the drive type is listed as ‘Outer(!)’ in the TrueCrypt main screen, and if you look in the volume properties (right-click -> Properties) you will see that ‘Hidden Volume Protected’ has the value ‘Yes (damage prevented)’.

Note that if an adversary asks you to mount the volume and you mount it using only the outer volume password (as you should, without enabling hidden volume protection), the Type value shows ‘Normal’ rather than ‘Outer’, so nothing gives the hidden volume away.

The volume can be remounted and used as normal, but as the warning notice states, plausible deniability may have been compromised (the rejected write and the ‘damage prevented’ status both reveal that something was being protected), so it might be best to create a new TrueCrypt volume and copy your data across.

So if at all possible, do not copy more data to the outer volume than there is room for!

Using a hidden volume

The procedure for opening a hidden volume is identical to that for opening a normal TrueCrypt volume (see Part 1), except that instead of entering the password for the outer volume, you enter the password for the hidden volume.

If you enter the password for the outer volume, the volume will appear to be a normal TrueCrypt volume.
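To make both the mount behaviour just described and the hidden volume protection procedure above concrete, here is an added Python model written for this article (it is not TrueCrypt’s code). It represents a file container as an outer header, a hidden-header slot and a data area whose tail holds the hidden volume. It tries the outer header before the hidden one when mounting, and when protection is enabled with the hidden volume’s password it refuses any outer-volume write that would reach into the hidden area, freezes the whole volume until remount and reports only a generic error. The header format, PBKDF2 parameters, passwords, the 50 KiB / 20 KiB sizes (the article’s 50MB / 20MB scaled down) and the unencrypted data area are all simplifying assumptions of the model.

```python
import hashlib
import hmac
import os


def derive_key(password: str, salt: bytes) -> bytes:
    # PBKDF2 stands in for the real header key derivation; the iteration count is illustrative.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 2000, 32)


def seal_header(password: str, volume_size: int) -> bytes:
    """56-byte header (salt, encrypted size, tag) that looks random without the password."""
    salt = os.urandom(16)
    key = derive_key(password, salt)
    pad = hashlib.sha256(key + b"size").digest()[:8]
    enc_size = bytes(a ^ b for a, b in zip(volume_size.to_bytes(8, "big"), pad))
    return salt + enc_size + hmac.new(key, enc_size, "sha256").digest()


def open_header(blob: bytes, password: str):
    """Return the volume size if the password opens the header, otherwise None."""
    salt, enc_size, tag = blob[:16], blob[16:24], blob[24:]
    key = derive_key(password, salt)
    if not hmac.compare_digest(hmac.new(key, enc_size, "sha256").digest(), tag):
        return None
    pad = hashlib.sha256(key + b"size").digest()[:8]
    return int.from_bytes(bytes(a ^ b for a, b in zip(enc_size, pad)), "big")


class Container:
    """Toy container: outer header, hidden-header slot, data area whose tail holds the hidden
    volume. Data is kept in the clear for brevity; a real volume encrypts all of it."""

    def __init__(self, outer_pw: str, size: int, hidden_pw: str = None, hidden_size: int = 0):
        self.size = size
        self.data = bytearray(os.urandom(size))          # free space is random from the start
        self.outer_header = seal_header(outer_pw, size)
        # With no hidden volume, the header slot holds random bytes of the same length.
        self.hidden_header = seal_header(hidden_pw, hidden_size) if hidden_pw else os.urandom(56)
        self.unmount()

    def unmount(self):
        self.mounted = None            # 'Normal', 'Outer(!)' or 'Hidden' once mounted
        self.hidden_start = None       # first byte of the hidden volume, once known
        self.write_protected = False

    def _open_hidden(self, password: str) -> int:
        hidden = open_header(self.hidden_header, password)
        if hidden is None:
            raise ValueError("incorrect password or no hidden volume")
        return hidden

    def mount(self, password: str, protect_with: str = None) -> str:
        # The outer header is tried first, then the hidden one.
        if open_header(self.outer_header, password) is not None:
            self.mounted = "Normal"
            if protect_with is not None:   # the 'Protect hidden volume ...' mount option
                self.hidden_start = self.size - self._open_hidden(protect_with)
                self.mounted = "Outer(!)"
        else:
            self.hidden_start = self.size - self._open_hidden(password)
            self.mounted = "Hidden"
        return self.mounted

    def write_outer(self, offset: int, payload: bytes):
        if self.mounted not in ("Normal", "Outer(!)"):
            raise RuntimeError("outer volume not mounted")
        end = offset + len(payload)
        if self.write_protected or (self.hidden_start is not None and end > self.hidden_start):
            # Write would reach into the hidden volume: refuse it, freeze the whole volume
            # until remount, and report only a generic error to the operating system.
            self.write_protected = True
            raise OSError("invalid parameter")
        self.data[offset:end] = payload

    def hidden_slice(self, offset: int, length: int) -> slice:
        if self.mounted != "Hidden":
            raise RuntimeError("hidden volume not mounted")
        return slice(self.hidden_start + offset, self.hidden_start + offset + length)


def rejected(write) -> bool:
    """True if the attempted write raised the generic 'invalid parameter' error."""
    try:
        write()
        return False
    except OSError:
        return True


def scenario(protect: bool) -> dict:
    """50 KiB outer volume, 20 KiB hidden volume: a 35 KiB write overruns the 30 KiB of real free space."""
    c = Container("outer-pass", 50 * 1024, "hidden-pass", 20 * 1024)
    secret = b"SECRET-FILE-CONTENTS" * 8                   # constructed hidden-volume content
    c.mount("hidden-pass")
    c.data[c.hidden_slice(0, len(secret))] = secret
    c.unmount()
    shown = c.mount("outer-pass", protect_with="hidden-pass" if protect else None)
    big_rejected = rejected(lambda: c.write_outer(0, b"A" * (35 * 1024)))
    small_rejected = rejected(lambda: c.write_outer(0, b"B" * 16))   # would fit on its own
    c.unmount()
    c.mount("hidden-pass")
    intact = bytes(c.data[c.hidden_slice(0, len(secret))]) == secret
    return {"type_shown": shown, "big_write_rejected": big_rejected,
            "volume_frozen": small_rejected, "hidden_intact": intact}


if __name__ == "__main__":
    print(scenario(False), scenario(True), sep="\n")
```

Without protection the outer volume reports ‘Normal’, the oversized write succeeds, and the secret is silently destroyed. With protection it reports ‘Outer(!)’, the oversized write fails, even a small write that would have fitted is refused until the volume is remounted, and the hidden data survives. Mounting with the hidden password alone gives the ‘Hidden’ type, while mounting with the outer password and no protection looks like any normal volume.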

* * *

While we love the hidden volumes feature of TrueCrypt, please also see our post outlining the potential pitfalls associated with it.